9/15/22, 12:47 PM AZ-900 Exam –Free Actual Q&As, Page 1 | ExamTopics
Topic 1
Question #262
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that
might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
Your Azure environment contains multiple Azure virtual machines.
You need to ensure that a virtual machine named VM1 is accessible from the Internet over HTTP.
Solution: You modify an Azure firewall.
Does this meet the goal?
A. Yes
B. No
Correct Answer: A
Azure Firewall is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It's a fully stateful
firewall as a service with built-in high availability and unrestricted cloud scalability.
In this question, we need to add a rule to Azure Firewall to allow the connection to the virtual machine on port 80 (HTTP).
References:
https://docs.microsoft.com/en-us/azure/firewall/overview
foreverlearner Highly Voted 2 years, 4 months ago
You can either modify a firewall or modify a NSG. For basic allow/deny traffic, NSG is enough. But the same can be achieved with Firewall
as well.
"The Azure Firewall service complements network security group functionality. Together, they provide better "defense-in-depth" network
security. Network security groups provide distributed network layer traffic filtering to limit traffic to resources within virtual networks in
each subscription. Azure Firewall is a fully stateful, centralized network firewall as-a-service, which provides network- and application-level
protection across different subscriptions and virtual networks." https://docs.microsoft.com/en-us/azure/firewall/firewall-faq
upvoted 43 times
Chris0105 1 year, 5 months ago
You are right. See as well question #133, so it must be firewall or NSG. I actually thought it was just NSG - seems I am wrong.
upvoted 3 times
lehoang15tuoi 1 year, 9 months ago
Your logic is not clear. To put it simply, both Firewall and NSG can be used to block traffic. Think of them like 2 gates on the same
walkway. You open one and close one, can you pass through both? The NSG default rule is blocking all inbound traffic, so if you don’t
do anything with it, it doesn’t matter what you do with the firewall.
upvoted 11 times
Mozbius_ 9 months, 2 weeks ago
EXACTLY my chain of thought. But then again... They didn't specify that a NSG has been set up (NSG's are not set by default when
you create a vm...) so the only thing that could prevent a vm from communicating on port 80 is the firewall...
upvoted 1 times
thebadfella 1 year ago
Guys, forget about the question for a moment and look at your on-prem infra, you need to whitelist in FW first for any legitimate
inbound access. So answer is "YES"
upvoted 2 times
PhilB1000 Highly Voted 2 years, 7 months ago
https://docs.microsoft.com/en-us/azure/firewall/firewall-faq#what-is-the-difference-between-network-security-groups-nsgs-and-azure-firewall
What is the difference between Application Gateway WAF and Azure Firewall?
The Web Application Firewall (WAF) is a feature of Application Gateway that provides centralized inbound protection of your web
applications from common exploits and vulnerabilities. Azure Firewall provides inbound protection for non-HTTP/S protocols (for example,
RDP, SSH, FTP), outbound network-level protection for all ports and protocols, and application-level protection for outbound HTTP/S.
upvoted 13 times
jokerbase Most Recent 3 months, 3 weeks ago
Follow this article:
https://adamtheautomator.com/azure-firewall/
We can choose Azure Firewall or NSG. It's also working together. We also can create a VM without NSG. Almost the example they created
the VM with NSG because it's free. Azure Firewall is not free. That's all.
upvoted 2 times
MS_Learner 7 months, 1 week ago
Got Feb 10, 2022, this question came in a way where they list 4 options, so I choose Azure firewall.
upvoted 2 times
mikamozg 9 months, 4 weeks ago
Firewall, WAF and NSG
Application rules aren't applied for inbound connections. So if you want to filter inbound HTTP/S traffic, you should use Web Application
Firewall (WAF). Or alternatively you can tweak NSG because by default everything is closed on NSG once it is created and assigned to vnet,
subnet or vnic.
Below is tutorial how to setup firewall and vnet, but if you go through you will see that all conversation is about outbound traffic not
inbound maybe because Azure Firewall application rules aren't applied for inbound connections. So we left with WAF or NSG.
https://docs.microsoft.com/en-us/azure/firewall/tutorial-firewall-deploy-portal
upvoted 1 times
mikamozg 9 months, 4 weeks ago
In addition if you go through the deploy guide you will see that making changes to firewall is not enough you always need to do
additional things like create default route in ip tables or create default route in VM in order to direct traffic to firewall. so answering to
test question making changes on Firewall is not enough.
upvoted 1 times
mikamozg 9 months, 4 weeks ago
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/nsg-quickstart-portal
You open a port, or create an endpoint, to a virtual machine (VM) in Azure by creating a network filter on a subnet or a VM network
interface. You place these filters, which control both inbound and outbound traffic, on a network security group attached to the
resource that receives the traffic.
upvoted 1 times
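An added example (not part of the original thread or of Microsoft's documentation) that models how an NSG attached to VM1's subnet or NIC evaluates inbound traffic: rules are processed in priority order, the first match decides, and Azure's three default inbound rules sit at the bottom. The custom rule names and priorities are constructed for illustration, destination matching is omitted, and Azure Firewall is not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    source: str     # service tag or "*"
    port: str       # "80", "1000-2000", or "*"
    protocol: str   # "Tcp", "Udp", or "*"
    access: str     # "Allow" or "Deny"

# Default inbound rules that Azure adds to every NSG.
DEFAULT_INBOUND = [
    Rule("AllowVNetInBound", 65000, "VirtualNetwork", "*", "*", "Allow"),
    Rule("AllowAzureLoadBalancerInBound", 65001, "AzureLoadBalancer", "*", "*", "Allow"),
    Rule("DenyAllInBound", 65500, "*", "*", "*", "Deny"),
]

def _port_matches(spec, port):
    if spec == "*":
        return True
    low, _, high = spec.partition("-")
    return int(low) <= port <= int(high or low)

def evaluate_inbound(custom_rules, source_tag, port, protocol="Tcp"):
    """Return (access, rule_name) for the first matching rule, by priority."""
    for rule in sorted(custom_rules + DEFAULT_INBOUND, key=lambda r: r.priority):
        if (rule.source in ("*", source_tag)
                and rule.protocol in ("*", protocol)
                and _port_matches(rule.port, port)):
            return rule.access, rule.name
    raise AssertionError("unreachable: DenyAllInBound matches everything")

# Constructed custom rules (hypothetical names and priorities).
ALLOW_HTTP = Rule("Allow-HTTP-Inbound", 100, "Internet", "80", "Tcp", "Allow")
DENY_INTERNET = Rule("Deny-Internet", 90, "Internet", "*", "*", "Deny")

if __name__ == "__main__":
    cases = [("defaults only", []),
             ("allow rule at 100", [ALLOW_HTTP]),
             ("deny at 90 + allow at 100", [DENY_INTERNET, ALLOW_HTTP])]
    for label, rules in cases:
        print(label, "->", evaluate_inbound(rules, "Internet", 80))
```

The third case is the one worth checking during a review: an allow rule for port 80 has no effect if a broader deny sits at a lower priority number.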
mikamozg 9 months, 4 weeks ago
Every time you search for the correct answer or solution NSG comes up:
https://docs.microsoft.com/en-us/answers/questions/182838/need-to-enable-ports-80-and-443-along-with-inbound.html
https://www.examtopics.com/exams/microsoft/az-900/custom-view/ 435/598